The majority of known methods of protected electronic communication are intended for communication between two subjects—a service provider (relying party) and a service user. Establishing the protected electronic communication is tied directly to the target system with which the electronic communication is established.
Use of a login name and a password is currently the most widespread method for establishing protected electronic communication.
Other methods for establishing protected electronic communication are those in which several types of subjects are involved in establishing the electronic communication. This includes, for example, Public Key Infrastructure (PKI) systems, which involve, in addition to the user and the service provider (relying party), a certification authority and, in some cases, a registration authority. The certification authority and, where applicable, the registration authority take part in preparing the environment for the protected electronic communication: they verify the identity of the user and issue and electronically sign a certificate, which is subsequently used by the service provider (relying party) and the service user to establish protected electronic communication between them.
Another increasingly used method for establishing protected electronic communication is based on the principle of Federated Identity. This includes, for example, the SAML, OAuth, OpenID and WS-Federation standards. In this case an additional subject is involved in establishing the protected electronic communication—an identity provider. The basic principle of Federated Identity is that the service user accessing the system of the service provider (relying party) is redirected to the system of the identity provider, where the user is authenticated; after the authentication process is completed, the user is redirected back to the system of the service provider (relying party). At the same time the identity provider informs the service provider (relying party) of the result of the user's authentication. The HTTP redirect, a standard feature of the HTTP protocol supported by all common web browsers, is used to redirect the user from the service provider (relying party) to the identity provider and back. The user is redirected only in order to perform the authentication. The transfer and processing of the target information takes place between two subjects—the service provider (relying party) and the user.
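As an added illustration of the redirect-based federation principle described above (example code, not part of this application or of any of the named standards), the following Python simulation runs the exchange end to end: the relying party redirects the user to the identity provider with a session-bound state, the identity provider authenticates the user and redirects back with a signed statement of the result, and the relying party checks the state, signature, audience, expiry and result before accepting the login. The URLs, the HMAC-signed assertion format and the shared key are assumptions made for illustration; real deployments use SAML or OpenID Connect messages with public-key signatures.

```python
# Added illustration, not from the application: simulated federated login.
# The relying party (RP) sends the browser to the identity provider (IdP) by
# HTTP redirect; the IdP authenticates the user and redirects back with a
# signed assertion; the RP verifies that assertion before trusting the result.
# URLs, the HMAC assertion format and the shared key are assumptions.
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

IDP_KEY = b"constructed-demo-key"          # assumed key shared by IdP and RP
RP_ID = "https://rp.example/acs"           # assumed RP return address (audience)

def rp_build_redirect(session: dict) -> str:
    """RP step 1: redirect to the IdP, binding a fresh random state to the session."""
    session["state"] = secrets.token_urlsafe(16)
    return "https://idp.example/login?" + urlencode(
        {"redirect_uri": RP_ID, "state": session["state"]})

def idp_authenticate(redirect_url: str, user: str, password_ok: bool) -> str:
    """IdP step: authenticate the user, then redirect back with a signed result."""
    q = parse_qs(urlparse(redirect_url).query)
    claims = {"sub": user, "aud": q["redirect_uri"][0],
              "exp": int(time.time()) + 60, "authenticated": password_ok}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return q["redirect_uri"][0] + "?" + urlencode(
        {"assertion": body + "." + sig, "state": q["state"][0]})

def rp_consume(return_url: str, session: dict, now: float = 0) -> Optional[str]:
    """RP step 2: verify state, signature, audience, expiry and result; user id or None."""
    q = parse_qs(urlparse(return_url).query)
    if q.get("state", [None])[0] != session.get("state"):
        return None                        # not the redirect this session started
    body, _, sig = q["assertion"][0].partition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                        # forged or tampered assertion
    claims = json.loads(base64.urlsafe_b64decode(body))
    if (claims["aud"] != RP_ID or claims["exp"] < (now or time.time())
            or not claims["authenticated"]):
        return None                        # wrong RP, stale, or login failed at IdP
    session.pop("state")                   # state is single-use: blocks replay
    return claims["sub"]

def demo(password_ok: bool = True) -> Optional[str]:
    """Run the whole exchange for user 'alice' and return the RP's decision."""
    session = {}
    back_to_rp = idp_authenticate(rp_build_redirect(session), "alice", password_ok)
    return rp_consume(back_to_rp, session)
```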
There are also other methods for establishing protected electronic communication: methods based on the existence of unique hardware tokens, multichannel methods that use several communication channels more or less independent of one another to establish protected communication, and new, highly automated methods of establishing protected electronic communication such as those described in patent application CZ PV 2013-373—Method of Authentication of Secure Data Channel.
Once the protected electronic communication is established between two subjects using any of the above methods or other known methods (hereinafter referred to as “authentication systems”), thus making the communication channel secure, the two subjects transfer information in a protected manner and, if applicable, further process the information in a protected manner.
Additionally, specialised systems or applications are known which allow mutual communication among several subjects; these include teleconferences, social network systems, electronic payments, electronic tickets and public transport tickets, etc. Some of these systems also require protected electronic communication, exchange and processing of information, in which it is reliably ensured that only identifiable subjects, and no one else, are involved in the communication and that the communication is protected in all security elements (integrity, confidentiality, availability and non-repudiation).
Where these systems require protected communication, they use one of the known methods of establishing protected electronic communication between two subjects, i.e. always separately for each user and each provider. This causes certain complications.
In practice, the systems for establishing communication among several subjects are either acceptably simple for the user but do not provide enough security (e.g. repeated prompting to enter passwords), or they can provide the required level of security but are so complex for the user that most users are unable to handle them in practice (for example, PKI) and refuse to use them.
Yet, in practice, there is a wide range of situations where several subjects need to communicate with each other at once. At the same time, it is necessary in these situations to ensure a level of protection which is high but still manageable by most users. These situations include, for example, electronic fare systems in various types of public transport, confirmation and verification of identity in trade and banking such as online payments, transactions in public administration including cross-border communication, communication in health care services, etc.